What We’re Working on for Log Analyzer (Updated Nov 13th 2019)

Since the release of Log Analyzer 2019.4, there have been a lot of things going on behind the scenes here at SolarWinds. Everything from new LA-specific features to Orion platform enhancements is in the works. See below:

  • Flat log file ingestion - Collect flat logs from applications running on Orion nodes utilizing the Orion agent.
  • Continued feature parity work for syslogs and traps
  • Analytics - we want to find problems you didn't know you have, by leveraging machine learning capabilities to detect anomalies in your log data.
  • Sub-string Extraction - Create custom metrics and identify strings to be used as variables in alerting etc.
  • New dashboard framework - Next generation summary dashboard framework.
  • UI performance optimizations - Faster and more responsive web UI.
  • Centralized upgrades - Pre-stage upgrades for reduced downtime.
  • Orion maps - Bridging the feature parity gap with Network Atlas.

As always we welcome your input! If you have an idea for Log Analyzer be sure to post it in our feature request forum.

Comments

These three features will make this product a must have for many of us....

I think that this will be a very interesting product once the Alert Integration is completed.

LogManager should be "part of" NPM installation; syslogs and traps are regular logs that must be analysed by NPM in order to have a good view of the network. So I recommend that this will be part of the NPM....

Having the 3 features mentioned would be great.. this is something most of the folks are waiting for....

When creating a new rule, in the Add an Action configuration window, the second option is Run an External Program. What types of external programs are supported? Such as VB? Or Python?

Without at least the trap & syslogs forwarding, we cannot install this module. We have complex forwarding rules per additional poller that are critical to our organization.

That being said, as an upgrade to something already in NPM, I don't understand why it's priced separately, and how to build a business case to buy a feature we currently have...

Syslog and trap forwarding is something we are actively working for Log Manager. I'd be interested in understanding your use case for forwarding - what tool do you need to forward your log data to? Which logs/traps do you typically need to forward? With regards to LM being priced separately, please see my comment here for an explanation on our plans for LM.

The 'Run an External Program' can be used to launch an executable. If you'd like to run a script such as PowerShell, you can launch an exe and then put the path to the script as a command line argument, like this:

We use Solarwinds to aggregate traps & syslogs (mostly traps) from private production sub networks. We filter some traps (mostly the informational traps) and forward the remaining to our National NOC. The source IP of the trap identifies the network it came from to ensure proper treatment at the NOC.

Also, we use forwarding in our setup to palliate a lack of feature in Solarwinds. Let me explain:

We currently have a main Orion server and 2 additional pollers. Each additional poller is dedicated to a specific network. When a trap is coming to the AP, the AP forwards the trap, and based on source IP, the National NOC is treating the information.

When we generate a trap on an alert (i.e.: Node is down), even if the node is managed by one of the additional pollers, the trap is sent by the main Orion server. Since a part of our NOC workflow uses the source IP of the trap to identify the corresponding network, sending it from the main Orion server gets us into trouble... To bypass this issue, we send the alarm trap to 127.0.0.1; we then have a rule that tags the trap and forwards the trap to the AP. That AP would then forward the trap to the NOC with the appropriate source IP so the alarms could be treated accordingly...

I have to maintain a Visio workflow diagram due to the many rules and Orion servers we have. It is time-consuming and not really ideal. I hope this would change in LM one day.

jhynds, regarding your comment about LM being priced separately you mention the following:

"I hope that gives you some comfort that we're committed to including syslog and trap functionality within NPM."

But from what I read, if we are going forward with upgrades without LM, I'll be stuck with a product that will not address our needs anymore and we will be forced to buy another module (and add maintenance fees on top of the many thousands we are already paying) to continue to do what we are doing today. Am I getting this right?

I understand the trap and syslog viewer interface has to be redefined as they are archaic, but it works. If you want to add functionalities I'm all about getting some money for that (We are already doing that by paying those maintenance fees), but it seems that soon I will feel that I am in a hostage situation...

Looking at the comparison it looks like this was added recently.

LA feature comparison

Log Forwarding was added as part of our 2.0 release. This will allow you to forward any important traps to your NOC, while preserving the IP Address of the AP the trap came from. Log Analyzer also provides Orion Alert Integration, however the 'Send an SNMP Trap' action within Orion alerting will always come from the Main Polling Engine as this is where the alert actions are executed.

You will not be forced to buy another module. Syslog and trap monitoring is a critical component of any network monitoring system, and we will continue to provide syslog/trap monitoring as part of NPM via 'Orion Log Viewer'. You can view more information here: Orion Log Viewer the New and Improved Version of the Syslog and Trap Viewers

Is this included in the newest Offline Installer? 

bobmarley wrote:

Is this included in the newest Offline Installer? 

Yes, definitely! In older offline installer bundles it'd be listed as [image omitted]

Thanks! I'm installing the new version today.

Sent test syslog messages with the following levels:

1-Alert

2-Critical

3-Error

4-Warning

5-Notice

6-Informational

7-Debug

Critical and Alert are the same color to me.

Any updates on this product?

bobmarley wrote:

Sent test syslog messages with the following levels: 1-Alert, 2-Critical, 3-Error, 4-Warning, 5-Notice, 6-Informational, 7-Debug. Critical and Alert are the same color to me.

FYI jvb

Is this something we should plan to implement sooner rather than later? Beyond the improved features over the old Viewer apps, are those doomed in the near future?

Thank you,

JoeP

I've just started using LA and I can't do a simple thing like forward a syslog to an email. Yes I can create the rule to fire off an alert, but I can't attach the actual syslog message to my alert.

Here's my thread on this.

Syslogs in NPM 12.5

Also in the past I was using syslog for instant alerting on link flapping. How am I supposed to do this with LA? With the alert only firing every 1 minute, it will miss link flapping syslogs.

Any ideas?

The alerting engine is evaluating everything on that one minute interval so it should still pick up events that triggered a rule in between those cycles.

Ah that's good to know. I will give it a test run

Actually I have a question for you, with the old syslogs I could look at a node's Summary page and in the Node Related 30 Syslog Messages widget, I could quickly and easily see all the syslogs associated with that node. Now that widget just says "There are no messages".

Is there a different widget I should be using? Thanks.

EDIT: So I gave it a test run and got the following results. My alert rule is set to check every 1 min. For the image below, I received 3 emails. The ones I got an email for were 13:25:16, 13:26:17 & 13:27:20.

So you can see I missed 3 syslog emails between the ones that I did receive.

What can I do to ensure I actually receive every single syslog?

At the moment there are no out-of-the-box widgets that directly replace the ones you were using. The old ones are still looking at the old data tables. I am working on some SWQL-based examples to bridge that gap in the short term, and long term we intend to have native OOTB widgets linked to LA data.

Give me a bit to check on that. Verifying something with the team on that...

That sounds good. As soon as you have the short term fix, please share.

I made this custom query for my Node Details pages. I'm sure it's not as cool as the Solarwinds built-in widget will be, because I don't really know anything about HTML.

SELECT TOP 100 -- edit this number for how many messages to load into the widget (you can modify the widget for how many messages to page)
    let.Name AS [Message Type]
  , Level AS [Severity]
  , TOLOCAL(DateTime) AS [Log Time]
  , SUBSTRING(Message, 1, 100) AS Message -- edit the last number for how many characters of the message you want to see
  , CONCAT('YOURORIONURLHERE', '/ui/orionlog/logviewer/now/1hours/', ${NodeID}, '/syslog') AS _linkfor_Message -- replace YOURORIONURLHERE with your Orion address, e.g. 'https://orion.abc.com'
FROM Orion.OLM.LogEntry le
JOIN Orion.OLM.LogEntryType let ON le.LogEntryTypeID = let.LogEntryTypeID
WHERE NodeID = '${NodeID}'
-- AND le.Message LIKE '%${SEARCH_STRING}%' -- remove the leading -- to enable the "Search SWQL Query" box
ORDER BY DateTime DESC

When will the substring extraction be ready? I am on 2019.4 RC1 and I have an urgent request from a client to extract substrings from traps, and I can find no way of doing it yet, even though I can find the trap text parsed as key:value in the database.

Awesome! That works beautifully. Thanks for sharing!

Was there an answer to the alert firing every minute and missing the syslog/traps sent between those minute intervals? E.g. in @superfly's example image, he didn't get alerts for over half the messages.

My use case:

1. Traps coming in from system A, with a varbind changing for the alert message/fault

2. A filter has been set up for the trap type from System A (cannot do individual varbind matches as there are over 1500 different faults)

3. Every single trap that matches needs to create a separate ServiceNow ticket. If I get 10 traps in 5 seconds, I want 10 incidents, not 1.
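The two complaints in this thread (the missed syslog emails at 13:25:16, 13:26:17 and 13:27:20, and the "10 traps should mean 10 incidents" use case) are the same failure mode: a rule engine that raises one alert per evaluation cycle collapses every match inside that cycle into a single notification. The script below is an added example, not SolarWinds code and not how Log Analyzer's engine is implemented. It decodes the RFC 3164 PRI header into facility and severity (the 1-7 levels listed earlier are the RFC 5424 severity numbers), applies a severity rule, and then compares per-event alerting with a per-cycle model. The sample log lines, the one-minute cycle, the date, and the assumption that a cycle starts at the first matching message are all constructed for the illustration.

```python
"""Added example (not SolarWinds code): decode syslog severities and show
why a rule engine that raises one alert per evaluation cycle reports fewer
alerts than the number of matching messages.

Assumptions (constructed, not from the thread): syslog lines carry an
RFC 3164 <PRI> header, the evaluation cycle is one minute, and each cycle
is modelled as starting at the first matching message it sees.
"""
from datetime import datetime, timedelta
import re

# RFC 5424 severity numbers (the thread's list is levels 1-7 of this table)
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

# Constructed sample: link-flap messages about 20 s apart (PRI 163 =
# facility local4, severity Error) plus one Informational line (PRI 166).
SAMPLE_LOG = """<163>13:25:16 Gi0/1 changed state to down
<163>13:25:37 Gi0/1 changed state to down
<163>13:25:58 Gi0/1 changed state to down
<166>13:26:05 Gi0/1 line protocol is up
<163>13:26:17 Gi0/1 changed state to down
<163>13:26:41 Gi0/1 changed state to down
<163>13:27:20 Gi0/1 changed state to down"""

DAY = datetime(2019, 11, 13)  # constructed date for the time-only stamps


def parse_line(line, day=DAY):
    """Return facility, severity, level name, timestamp and text, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:            # 23 * 8 + 7 is the largest valid PRI value
        return None
    stamp = datetime.strptime(m.group("ts"), "%H:%M:%S").time()
    return {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "level": SEVERITY_NAMES[pri & 7],
        "ts": datetime.combine(day.date(), stamp),
        "msg": m.group("msg"),
    }


def severe_enough(event, worst_allowed=3):
    """Rule: Error (3) or more severe. Lower numbers mean higher severity."""
    return event["severity"] <= worst_allowed


def per_event_alerts(events, rule=severe_enough):
    """One alert (email, ticket) per matching message."""
    return [e for e in events if rule(e)]


def per_interval_alerts(events, interval=timedelta(minutes=1), rule=severe_enough):
    """One alert per evaluation cycle: the first matching message opens a
    cycle, and later matches inside that cycle are absorbed into the same
    alert. This is a simplified model of a polling engine, not its real code."""
    alerts, cycle_ends = [], None
    for e in sorted(per_event_alerts(events, rule), key=lambda x: x["ts"]):
        if cycle_ends is None or e["ts"] >= cycle_ends:
            alerts.append(e)
            cycle_ends = e["ts"] + interval
    return alerts


def compare(log_text=SAMPLE_LOG):
    """Summarise both behaviours for a block of syslog text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    each, batched = per_event_alerts(events), per_interval_alerts(events)
    return {
        "messages": len(events),
        "per_event": len(each),
        "per_interval": len(batched),
        "missed": len(each) - len(batched),
        "reported_at": [e["ts"].strftime("%H:%M:%S") for e in batched],
    }


def trap_burst(count=10, spacing=timedelta(milliseconds=500)):
    """Constructed stand-in for the ServiceNow case: `count` Critical traps
    arriving within a few seconds, each meant to become its own incident."""
    start = datetime(2019, 11, 13, 14, 0, 0)
    return [{"facility": 20, "severity": 2, "level": "Critical",
             "ts": start + i * spacing, "msg": f"fault code {i}"}
            for i in range(count)]


if __name__ == "__main__":
    print(compare())
    burst = trap_burst()
    print(len(per_event_alerts(burst)), "incidents per event vs",
          len(per_interval_alerts(burst)), "per cycle")
```

On the sample above the per-cycle model reports exactly the three timestamps from the thread and drops the three matches in between; on the ten-trap burst it opens one incident instead of ten. The practical check for a ticketing integration is therefore whether the action is triggered per matching event or per rule evaluation, and, if it is the latter, whether an upstream component can keep each event as a separate record (or whether ticket creation can be driven by a per-event pipeline instead).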

In regards to Sub-string Extraction (creating custom metrics and identifying strings to be used as variables in alerting):

Will Sub-String Extraction be an included feature of the Orion Log Viewer (Basic) licensing of this product? 

Version history: Revision 1 of 1, last update 06-04-2018 11:17 AM